<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="/rss.xsl.xml"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
    <title>Changes in nsproxy.c</title>
    <description></description>
    <language>en</language>
    <copyright>Copyright 2025</copyright>
    <generator>Java</generator><item>
        <title>0fc8f6200d2313278fbf4539bbab74677c685531 - Merge drm/drm-fixes into drm-misc-fixes</title>
        <link>http://opengrok.kc2vjw.com:8080/history/linux/kernel/nsproxy.c#0fc8f6200d2313278fbf4539bbab74677c685531</link>
        <description>Merge drm/drm-fixes into drm-misc-fixes

Getting fixes and updates from v7.1-rc1.

Signed-off-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;

            List of files:
            /linux/kernel/nsproxy.c</description>
        <pubDate>Mon, 27 Apr 2026 08:26:49 +0000</pubDate>
        <dc:creator>Thomas Zimmermann &lt;tzimmermann@suse.de&gt;</dc:creator>
    </item>
<item>
        <title>f4b369c6fe0ceaba2da2daff8c9eb415f85926dd - Merge branch &apos;next&apos; into for-linus</title>
        <link>http://opengrok.kc2vjw.com:8080/history/linux/kernel/nsproxy.c#f4b369c6fe0ceaba2da2daff8c9eb415f85926dd</link>
        <description>Merge branch &apos;next&apos; into for-linus

Prepare input updates for 7.1 merge window.

            List of files:
            /linux/kernel/nsproxy.c</description>
        <pubDate>Mon, 20 Apr 2026 01:28:57 +0000</pubDate>
        <dc:creator>Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;</dc:creator>
    </item>
<item>
        <title>7c8a4671dc3247a26a702e5f5996e9f453d7070d - Merge tag &apos;vfs-7.1-rc1.mount.v2&apos; of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs</title>
        <link>http://opengrok.kc2vjw.com:8080/history/linux/kernel/nsproxy.c#7c8a4671dc3247a26a702e5f5996e9f453d7070d</link>
        <description>Merge tag &apos;vfs-7.1-rc1.mount.v2&apos; of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs

Pull vfs mount updates from Christian Brauner:

 - Add FSMOUNT_NAMESPACE flag to fsmount() that creates a new mount namespace with the newly created filesystem attached to a copy of the real rootfs. This returns a namespace file descriptor instead of an O_PATH mount fd, similar to how OPEN_TREE_NAMESPACE works for open_tree().

   This allows creating a new filesystem and immediately placing it in a new mount namespace in a single operation, which is useful for container runtimes and other namespace-based isolation mechanisms.

   This accompanies OPEN_TREE_NAMESPACE and avoids a needless detour via OPEN_TREE_NAMESPACE to get the same effect. Will be especially useful when you mount an actual filesystem to be used as the container rootfs.

 - Currently, creating a new mount namespace always copies the entire mount tree from the caller&apos;s namespace. For containers and sandboxes that intend to build their mount table from scratch this is wasteful: they inherit a potentially large mount tree only to immediately tear it down.

   This series adds support for creating a mount namespace that contains only a clone of the root mount, with none of the child mounts. Two new flags are introduced:

     - CLONE_EMPTY_MNTNS (0x400000000) for clone3(), using the 64-bit flag space
     - UNSHARE_EMPTY_MNTNS (0x00100000) for unshare()

   Both flags imply CLONE_NEWNS. The resulting namespace contains a single nullfs root mount with an immutable empty directory. The intended workflow is to then mount a real filesystem (e.g., tmpfs) over the root and build the mount table from there.

 - Allow MOVE_MOUNT_BENEATH to target the caller&apos;s rootfs, allowing to switch out the rootfs without pivot_root(2).

   The traditional approach to switching the rootfs involves pivot_root(2) or a chroot_fs_refs()-based mechanism that atomically updates fs-&gt;root for all tasks sharing the same fs_struct. This has consequences for fork(), unshare(CLONE_FS), and setns().

   This series instead decomposes root-switching into individually atomic, locally-scoped steps:

	fd_tree = open_tree(-EBADF, &quot;/newroot&quot;, OPEN_TREE_CLONE | OPEN_TREE_CLOEXEC);
	fchdir(fd_tree);
	move_mount(fd_tree, &quot;&quot;, AT_FDCWD, &quot;/&quot;, MOVE_MOUNT_BENEATH | MOVE_MOUNT_F_EMPTY_PATH);
	chroot(&quot;.&quot;);
	umount2(&quot;.&quot;, MNT_DETACH);

   Since each step only modifies the caller&apos;s own state, the fork/unshare/setns races are eliminated by design.

   A key step to making this possible is to remove the locked mount restriction. Originally MOVE_MOUNT_BENEATH doesn&apos;t support mounting beneath a mount that is locked. The locked mount protects the underlying mount from being revealed. This is a core mechanism of unshare(CLONE_NEWUSER | CLONE_NEWNS). The mounts in the new mount namespace become locked. That effectively makes the new mount table useless as the caller cannot ever get rid of any of the mounts no matter how useless they are.

   We can lift this restriction though. We simply transfer the locked property from the top mount to the mount beneath. This works because what we care about is to protect the underlying mount aka the parent. The mount mounted between the parent and the top mount takes over the job of protecting the parent mount from the top mount. This leaves us free to remove the locked property from the top mount which can consequently be unmounted:

	unshare(CLONE_NEWUSER | CLONE_NEWNS)

   and we inherit a clone of procfs on /proc then currently we cannot unmount it as:

	umount -l /proc

   will fail with EINVAL because the procfs mount is locked.

   After this series we can now do:

	mount --beneath -t tmpfs tmpfs /proc
	umount -l /proc

   after which a tmpfs mount has been placed beneath the procfs mount. The tmpfs mount has become locked and the procfs mount has become unlocked.

   This means you can safely modify an inherited mount table after unprivileged namespace creation.

   Afterwards we simply make it possible to move a mount beneath the rootfs allowing to upgrade the rootfs.

   Removing the locked restriction makes this very useful for containers created with unshare(CLONE_NEWUSER | CLONE_NEWNS) to reshuffle an inherited mount table safely and MOVE_MOUNT_BENEATH makes it possible to switch out the rootfs instead of using the costly pivot_root(2).

* tag &apos;vfs-7.1-rc1.mount.v2&apos; of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs:
  selftests/namespaces: remove unused utils.h include from listns_efault_test
  selftests/fsmount_ns: add missing TARGETS and fix cap test
  selftests/empty_mntns: fix wrong CLONE_EMPTY_MNTNS hex value in comment
  selftests/empty_mntns: fix statmount_alloc() signature mismatch
  selftests/statmount: remove duplicate wait_for_pid()
  mount: always duplicate mount
  selftests/filesystems: add MOVE_MOUNT_BENEATH rootfs tests
  move_mount: allow MOVE_MOUNT_BENEATH on the rootfs
  move_mount: transfer MNT_LOCKED
  selftests/filesystems: add clone3 tests for empty mount namespaces
  selftests/filesystems: add tests for empty mount namespaces
  namespace: allow creating empty mount namespaces
  selftests: add FSMOUNT_NAMESPACE tests
  selftests/statmount: add statmount_alloc() helper
  tools: update mount.h header
  mount: add FSMOUNT_NAMESPACE
  mount: simplify __do_loopback()
  mount: start iterating from start of rbtree

            List of files:
            /linux/kernel/nsproxy.c</description>
        <pubDate>Wed, 15 Apr 2026 02:59:25 +0000</pubDate>
        <dc:creator>Linus Torvalds &lt;torvalds@linux-foundation.org&gt;</dc:creator>
    </item>
<item>
        <title>dc0dfa73381bc8b2ebd298face5dbe7e240cd80c - Merge tag &apos;namespaces-7.1-rc1.misc&apos; of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs</title>
        <link>http://opengrok.kc2vjw.com:8080/history/linux/kernel/nsproxy.c#dc0dfa73381bc8b2ebd298face5dbe7e240cd80c</link>
        <description>Merge tag &apos;namespaces-7.1-rc1.misc&apos; of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs

Pull namespace update from Christian Brauner:
 &quot;Add two simple helper macros for the namespace infrastructure&quot;

* tag &apos;namespaces-7.1-rc1.misc&apos; of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs:
  nsproxy: Add FOR_EACH_NS_TYPE() X-macro and CLONE_NS_ALL

            List of files:
            /linux/kernel/nsproxy.c</description>
        <pubDate>Mon, 13 Apr 2026 20:02:49 +0000</pubDate>
        <dc:creator>Linus Torvalds &lt;torvalds@linux-foundation.org&gt;</dc:creator>
    </item>
<item>
        <title>935a04923ad293cd89bf6ec23fc4efc9cf1a0142 - nsproxy: Add FOR_EACH_NS_TYPE() X-macro and CLONE_NS_ALL</title>
        <link>http://opengrok.kc2vjw.com:8080/history/linux/kernel/nsproxy.c#935a04923ad293cd89bf6ec23fc4efc9cf1a0142</link>
        <description>nsproxy: Add FOR_EACH_NS_TYPE() X-macro and CLONE_NS_ALL

Introduce the FOR_EACH_NS_TYPE(X) macro as the single source of truth for the set of (struct type, CLONE_NEW* flag) pairs that define Linux namespace types.

Currently, the list of CLONE_NEW* flags is duplicated inline in multiple call sites and would need another copy in each new consumer. This makes it easy to miss one when a new namespace type is added.

Derive two things from the X-macro:

- CLONE_NS_ALL: Bitmask of all known CLONE_NEW* flags, usable as a validity mask or iteration bound.
- ns_common_type(): Rewritten to use the X-macro via a leading-comma _Generic pattern, so the struct-to-flag mapping stays in sync with the flag set automatically.

Replace the inline flag enumerations in copy_namespaces(), unshare_nsproxy_namespaces(), check_setns_flags(), and ksys_unshare() with CLONE_NS_ALL.

When a new namespace type is added, only FOR_EACH_NS_TYPE needs to be updated; CLONE_NS_ALL, ns_common_type(), and all the call sites pick up the change automatically.

Cc: Christian Brauner &lt;brauner@kernel.org&gt;
Cc: G&#252;nther Noack &lt;gnoack@google.com&gt;
Signed-off-by: Micka&#235;l Sala&#252;n &lt;mic@digikod.net&gt;
Link: https://patch.msgid.link/20260312100444.2609563-4-mic@digikod.net
Reviewed-by: Christian Brauner &lt;brauner@kernel.org&gt;
Signed-off-by: Christian Brauner &lt;brauner@kernel.org&gt;

            List of files:
            /linux/kernel/nsproxy.c</description>
        <pubDate>Thu, 12 Mar 2026 10:04:36 +0000</pubDate>
        <dc:creator>Micka&#235;l Sala&#252;n &lt;mic@digikod.net&gt;</dc:creator>
    </item>
<item>
        <title>0421ccdfad0d92713a812a5aeb7d07b0ea7213c8 - Merge tag &apos;v7.0-rc3&apos; into next</title>
        <link>http://opengrok.kc2vjw.com:8080/history/linux/kernel/nsproxy.c#0421ccdfad0d92713a812a5aeb7d07b0ea7213c8</link>
        <description>Merge tag &apos;v7.0-rc3&apos; into next

Sync up with the mainline to bring up the latest changes, specifically changes to ALPS driver.

            List of files:
            /linux/kernel/nsproxy.c</description>
        <pubDate>Thu, 12 Mar 2026 17:44:42 +0000</pubDate>
        <dc:creator>Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;</dc:creator>
    </item>
<item>
        <title>4e9f7592b6f5fe4929b2d755785788acba123db5 - Merge patch series &quot;namespace: allow creating empty mount namespaces&quot;</title>
        <link>http://opengrok.kc2vjw.com:8080/history/linux/kernel/nsproxy.c#4e9f7592b6f5fe4929b2d755785788acba123db5</link>
        <description>Merge patch series &quot;namespace: allow creating empty mount namespaces&quot;

Christian Brauner &lt;brauner@kernel.org&gt; says:

Currently, creating a new mount namespace always copies the entire mount tree from the caller&apos;s namespace.  For containers and sandboxes that intend to build their mount table from scratch this is wasteful: they inherit a potentially large mount tree only to immediately tear it down.

This series adds support for creating a mount namespace that contains only a clone of the root mount, with none of the child mounts.  Two new flags are introduced:

- CLONE_EMPTY_MNTNS (0x400000000) for clone3(), using the 64-bit flag space.
- UNSHARE_EMPTY_MNTNS (0x00100000) for unshare(), reusing the CLONE_PARENT_SETTID bit which has no meaning for unshare.

Both flags imply CLONE_NEWNS.  The resulting namespace contains a single nullfs root mount with an immutable empty directory.  The intended workflow is to then mount a real filesystem (e.g., tmpfs) over the root and build the mount table from there.

* patches from https://patch.msgid.link/20260306-work-empty-mntns-consolidated-v1-0-6eb30529bbb0@kernel.org:
  selftests/filesystems: add clone3 tests for empty mount namespaces
  selftests/filesystems: add tests for empty mount namespaces
  namespace: allow creating empty mount namespaces

Link: https://patch.msgid.link/20260306-work-empty-mntns-consolidated-v1-0-6eb30529bbb0@kernel.org
Signed-off-by: Christian Brauner &lt;brauner@kernel.org&gt;

            List of files:
            /linux/kernel/nsproxy.c</description>
        <pubDate>Wed, 11 Mar 2026 22:01:17 +0000</pubDate>
        <dc:creator>Christian Brauner &lt;brauner@kernel.org&gt;</dc:creator>
    </item>
<item>
        <title>9d4e752a24f740b31ca827bfab07010e4e7f34b0 - namespace: allow creating empty mount namespaces</title>
        <link>http://opengrok.kc2vjw.com:8080/history/linux/kernel/nsproxy.c#9d4e752a24f740b31ca827bfab07010e4e7f34b0</link>
        <description>namespace: allow creating empty mount namespaces

Add support for creating a mount namespace that contains only a copy of the root mount from the caller&apos;s mount namespace, with none of the child mounts.  This is useful for containers and sandboxes that want to start with a minimal mount table and populate it from scratch rather than inheriting and then tearing down the full mount tree.

Two new flags are introduced:

- CLONE_EMPTY_MNTNS for clone3(), using the 64-bit flag space.
- UNSHARE_EMPTY_MNTNS for unshare(), reusing the CLONE_PARENT_SETTID bit which has no meaning for unshare.

Both flags imply CLONE_NEWNS.  For the unshare path, UNSHARE_EMPTY_MNTNS is converted to CLONE_EMPTY_MNTNS in unshare_nsproxy_namespaces() before it reaches copy_mnt_ns(), so the mount namespace code only needs to handle a single flag.

In copy_mnt_ns(), when CLONE_EMPTY_MNTNS is set, clone_mnt() is used instead of copy_tree() to clone only the root mount.  The caller&apos;s root and working directory are both reset to the root dentry of the new mount.

The cleanup variables are changed from vfsmount pointers with __free(mntput) to struct path with __free(path_put) because the empty mount namespace path needs to release both mount and dentry references when replacing the caller&apos;s root and pwd.  In the normal (non-empty) path only the mount component is set, and dput(NULL) is a no-op so path_put remains correct there as well.

Link: https://patch.msgid.link/20260306-work-empty-mntns-consolidated-v1-1-6eb30529bbb0@kernel.org
Signed-off-by: Christian Brauner &lt;brauner@kernel.org&gt;

            List of files:
            /linux/kernel/nsproxy.c</description>
        <pubDate>Fri, 06 Mar 2026 16:28:37 +0000</pubDate>
        <dc:creator>Christian Brauner &lt;brauner@kernel.org&gt;</dc:creator>
    </item>
<item>
        <title>cc4adab164b772a34b3340d644b7c4728498581e - Merge tag &apos;v6.19-rc1&apos; into msm-next</title>
        <link>http://opengrok.kc2vjw.com:8080/history/linux/kernel/nsproxy.c#cc4adab164b772a34b3340d644b7c4728498581e</link>
        <description>Merge tag &apos;v6.19-rc1&apos; into msm-next

Merge Linux 6.19-rc1 in order to catch up with other changes (e.g. UBWC config database defining UBWC_6).

Signed-off-by: Dmitry Baryshkov &lt;dmitry.baryshkov@oss.qualcomm.com&gt;

            List of files:
            /linux/kernel/nsproxy.c</description>
        <pubDate>Tue, 20 Jan 2026 22:06:55 +0000</pubDate>
        <dc:creator>Dmitry Baryshkov &lt;dmitry.baryshkov@oss.qualcomm.com&gt;</dc:creator>
    </item>
<item>
        <title>24f171c7e145f43b9f187578e89b0982ce87e54c - Merge tag &apos;asoc-fix-v6.19-rc1&apos; of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus</title>
        <link>http://opengrok.kc2vjw.com:8080/history/linux/kernel/nsproxy.c#24f171c7e145f43b9f187578e89b0982ce87e54c</link>
        <description>Merge tag &apos;asoc-fix-v6.19-rc1&apos; of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

ASoC: Fixes for v6.19

We&apos;ve been quite busy with fixes since the merge window, though not in any particularly exciting ways - the standout thing is the fix for _SX controls which were broken by a change to how we do clamping, otherwise it&apos;s all fairly run of the mill fixes and quirks.

            List of files:
            /linux/kernel/nsproxy.c</description>
        <pubDate>Sun, 21 Dec 2025 10:11:11 +0000</pubDate>
        <dc:creator>Takashi Iwai &lt;tiwai@suse.de&gt;</dc:creator>
    </item>
<item>
        <title>5add3c3c280a35f7e258e9cef7607db5a2e56fdc - Merge drm/drm-next into drm-xe-next</title>
        <link>http://opengrok.kc2vjw.com:8080/history/linux/kernel/nsproxy.c#5add3c3c280a35f7e258e9cef7607db5a2e56fdc</link>
        <description>Merge drm/drm-next into drm-xe-next

Backmerging to bring in 6.19-rc1. An important upstream bugfix and to help unblock PTL CI.

Signed-off-by: Thomas Hellstr&#246;m &lt;thomas.hellstrom@linux.intel.com&gt;

            List of files:
            /linux/kernel/nsproxy.c</description>
        <pubDate>Fri, 19 Dec 2025 10:51:22 +0000</pubDate>
        <dc:creator>Thomas Hellstr&#246;m &lt;thomas.hellstrom@linux.intel.com&gt;</dc:creator>
    </item>
<item>
        <title>b8304863a3990d0f18c38e5b94191830a63ee1af - Merge drm/drm-next into drm-intel-next</title>
        <link>http://opengrok.kc2vjw.com:8080/history/linux/kernel/nsproxy.c#b8304863a3990d0f18c38e5b94191830a63ee1af</link>
        <description>Merge drm/drm-next into drm-intel-next

Sync-up some display code needed for Async flips refactor.

Signed-off-by: Rodrigo Vivi &lt;rodrigo.vivi@intel.com&gt;

            List of files:
            /linux/kernel/nsproxy.c</description>
        <pubDate>Mon, 15 Dec 2025 13:24:02 +0000</pubDate>
        <dc:creator>Rodrigo Vivi &lt;rodrigo.vivi@intel.com&gt;</dc:creator>
    </item>
<item>
        <title>84318277d6334c6981ab326d4acc87c6a6ddc9b8 - Merge remote-tracking branch &apos;drm/drm-fixes&apos; into drm-misc-fixes</title>
        <link>http://opengrok.kc2vjw.com:8080/history/linux/kernel/nsproxy.c#84318277d6334c6981ab326d4acc87c6a6ddc9b8</link>
        <description>Merge remote-tracking branch &apos;drm/drm-fixes&apos; into drm-misc-fixes

Pull in rc1 to include all changes since the merge window closed, and grab all fixes and changes from drm/drm-next.

Signed-off-by: Maarten Lankhorst &lt;dev@lankhorst.se&gt;

            List of files:
            /linux/kernel/nsproxy.c</description>
        <pubDate>Mon, 15 Dec 2025 11:53:27 +0000</pubDate>
        <dc:creator>Maarten Lankhorst &lt;dev@lankhorst.se&gt;</dc:creator>
    </item>
<item>
        <title>7f790dd21a931c61167f7bdc327aecf2cebad327 - Merge drm/drm-next into drm-misc-next</title>
        <link>http://opengrok.kc2vjw.com:8080/history/linux/kernel/nsproxy.c#7f790dd21a931c61167f7bdc327aecf2cebad327</link>
        <description>Merge drm/drm-next into drm-misc-next

Let&apos;s kickstart the v6.20 (7.0?) release cycle.

Signed-off-by: Maxime Ripard &lt;mripard@kernel.org&gt;

            List of files:
            /linux/kernel/nsproxy.c</description>
        <pubDate>Mon, 15 Dec 2025 08:27:39 +0000</pubDate>
        <dc:creator>Maxime Ripard &lt;mripard@kernel.org&gt;</dc:creator>
    </item>
<item>
        <title>a4a508df2aa34f8650afde54ea804321c618f45f - Merge tag &apos;v6.18&apos; into next</title>
        <link>http://opengrok.kc2vjw.com:8080/history/linux/kernel/nsproxy.c#a4a508df2aa34f8650afde54ea804321c618f45f</link>
        <description>Merge tag &apos;v6.18&apos; into next

Sync up with the mainline to bring in the latest APIs.

            List of files:
            /linux/kernel/nsproxy.c</description>
        <pubDate>Sat, 13 Dec 2025 09:18:20 +0000</pubDate>
        <dc:creator>Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;</dc:creator>
    </item>
<item>
        <title>415d34b92c1f921a9ff3c38f56319cbc5536f642 - Merge tag &apos;namespace-6.19-rc1&apos; of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs</title>
        <link>http://opengrok.kc2vjw.com:8080/history/linux/kernel/nsproxy.c#415d34b92c1f921a9ff3c38f56319cbc5536f642</link>
        <description>Merge tag &apos;namespace-6.19-rc1&apos; of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs

Pull namespace updates from Christian Brauner:
 &quot;This contains substantial namespace infrastructure changes including a new system call, active reference counting, and extensive header cleanups. The branch depends on the shared kbuild branch for -fms-extensions support.

  Features:

   - listns() system call

     Add a new listns() system call that allows userspace to iterate through namespaces in the system. This provides a programmatic interface to discover and inspect namespaces, addressing longstanding limitations:

     Currently, there is no direct way for userspace to enumerate namespaces. Applications must resort to scanning /proc/*/ns/ across all processes, which is:

      - Inefficient - requires iterating over all processes
      - Incomplete - misses namespaces not attached to any running process but kept alive by file descriptors, bind mounts, or parent references
      - Permission-heavy - requires access to /proc for many processes
      - No ordering or ownership information
      - No filtering per namespace type

     The listns() system call solves these problems:

       ssize_t listns(const struct ns_id_req *req, u64 *ns_ids,
                      size_t nr_ns_ids, unsigned int flags);

       struct ns_id_req {
             __u32 size;
             __u32 spare;
             __u64 ns_id;
             struct /* listns */ {
                     __u32 ns_type;
                     __u32 spare2;
                     __u64 user_ns_id;
             };
       };

     Features include:

      - Pagination support for large namespace sets
      - Filtering by namespace type (MNT_NS, NET_NS, USER_NS, etc.)
      - Filtering by owning user namespace
      - Permission checks respecting namespace isolation

   - Active Reference Counting

     Introduce an active reference count that tracks namespace visibility to userspace. A namespace is visible in the following cases:

      - The namespace is in use by a task
      - The namespace is persisted through a VFS object (namespace file descriptor or bind-mount)
      - The namespace is a hierarchical type and is the parent of child namespaces

     The active reference count does not regulate lifetime (that&apos;s still done by the normal reference count) - it only regulates visibility to namespace file handles and listns().

     This prevents resurrection of namespaces that are pinned only for internal kernel reasons (e.g., user namespaces held by file-&gt;f_cred, lazy TLB references on idle CPUs, etc.) which should not be accessible via (1)-(3).

   - Unified Namespace Tree

     Introduce a unified tree structure for all namespaces with:

      - Fixed IDs assigned to initial namespaces
      - Lookup based solely on inode number
      - Maintained list of owned namespaces per user namespace
      - Simplified rbtree comparison helpers

  Cleanups

   - Header Reorganization:
      - Move namespace types into separate header (ns_common_types.h)
      - Decouple nstree from ns_common header
      - Move nstree types into separate header
      - Switch to new ns_tree_{node,root} structures with helper functions
      - Use guards for ns_tree_lock

   - Initial Namespace Reference Count Optimization
      - Make all reference counts on initial namespaces a nop to avoid pointless cacheline ping-pong for namespaces that can never go away
      - Drop custom reference count initialization for initial namespaces
      - Add NS_COMMON_INIT() macro and use it for all namespaces
      - pid: rely on common reference count behavior

   - Miscellaneous Cleanups
      - Rename exit_task_namespaces() to exit_nsproxy_namespaces()
      - Rename is_initial_namespace() and make argument const
      - Use boolean to indicate anonymous mount namespace
      - Simplify owner list iteration in nstree
      - nsfs: raise SB_I_NODEV, SB_I_NOEXEC, and DCACHE_DONTCACHE explicitly
      - nsfs: use inode_just_drop()
      - pidfs: raise DCACHE_DONTCACHE explicitly
      - pidfs: simplify PIDFD_GET__NAMESPACE ioctls
      - libfs: allow to specify s_d_flags
      - cgroup: add cgroup namespace to tree after owner is set
      - nsproxy: fix free_nsproxy() and simplify create_new_namespaces()

  Fixes:

   - setns(pidfd, ...) race condition

     Fix a subtle race when using pidfds with setns(). When the target task exits after prepare_nsset() but before commit_nsset(), the namespace&apos;s active reference count might have been dropped. If setns() then installs the namespaces, it would bump the active reference count from zero without taking the required reference on the owner namespace, leading to underflow when later decremented.

     The fix resurrects the ownership chain if necessary - if the caller succeeded in grabbing passive references, the setns() should succeed even if the target task exits or gets reaped.

   - Return EFAULT on put_user() error instead of success
   - Make sure references are dropped outside of RCU lock (some namespaces like mount namespace sleep when putting the last reference)
   - Don&apos;t skip active reference count initialization for network namespace
   - Add asserts for active refcount underflow
   - Add asserts for initial namespace reference counts (both passive and active)
   - ipc: enable is_ns_init_id() assertions
   - Fix kernel-doc comments for internal nstree functions
   - Selftests
      - 15 active reference count tests
      - 9 listns() functionality tests
      - 7 listns() permission tests
      - 12 inactive namespace resurrection tests
      - 3 threaded active reference count tests
      - commit_creds() active reference tests
      - Pagination and stress tests
      - EFAULT handling test
      - nsid tests fixes&quot;

* tag &apos;namespace-6.19-rc1&apos; of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (103 commits)
  pidfs: simplify PIDFD_GET_&lt;type&gt;_NAMESPACE ioctls
  nstree: fix kernel-doc comments for internal functions
  nsproxy: fix free_nsproxy() and simplify create_new_namespaces()
  selftests/namespaces: fix nsid tests
  ns: drop custom reference count initialization for initial namespaces
  pid: rely on common reference count behavior
  ns: add asserts for initial namespace active reference counts
  ns: add asserts for initial namespace reference counts
  ns: make all reference counts on initial namespace a nop
  ipc: enable is_ns_init_id() assertions
  fs: use boolean to indicate anonymous mount namespace
  ns: rename is_initial_namespace()
  ns: make is_initial_namespace() argument const
  nstree: use guards for ns_tree_lock
  nstree: simplify owner list iteration
  nstree: switch to new structures
  nstree: add helper to operate on struct ns_tree_{node,root}
  nstree: move nstree types into separate header
  nstree: decouple from ns_common header
  ns: move namespace types into separate header
  ...

            List of files:
            /linux/kernel/nsproxy.c</description>
        <pubDate>Mon, 01 Dec 2025 17:47:41 +0000</pubDate>
        <dc:creator>Linus Torvalds &lt;torvalds@linux-foundation.org&gt;</dc:creator>
    </item>
<item>
        <title>2ace52718376fdb56aca863da2eebe70d7e2ddb1 - Merge branch &apos;objtool/core&apos;</title>
        <link>http://opengrok.kc2vjw.com:8080/history/linux/kernel/nsproxy.c#2ace52718376fdb56aca863da2eebe70d7e2ddb1</link>
        <description>Merge branch &apos;objtool/core&apos;

Bring in the UDB and objtool data annotations to avoid conflicts while further extending the bug exceptions.

Signed-off-by: Peter Zijlstra &lt;peterz@infradead.org&gt;

            List of files:
            /linux/kernel/nsproxy.c</description>
        <pubDate>Fri, 21 Nov 2025 10:21:20 +0000</pubDate>
        <dc:creator>Peter Zijlstra &lt;peterz@infradead.org&gt;</dc:creator>
    </item>
<item>
        <title>f39b6c468c52745dbca9a842d91c8373fda208ab - Merge tag &apos;v6.18-rc6&apos; into for-linus</title>
        <link>http://opengrok.kc2vjw.com:8080/history/linux/kernel/nsproxy.c#f39b6c468c52745dbca9a842d91c8373fda208ab</link>
        <description>Merge tag &apos;v6.18-rc6&apos; into for-linus

Sync up with the mainline to bring in definition of INPUT_PROP_HAPTIC_TOUCHPAD.

            List of files:
            /linux/kernel/nsproxy.c</description>
        <pubDate>Tue, 18 Nov 2025 07:16:55 +0000</pubDate>
        <dc:creator>Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;</dc:creator>
    </item>
<item>
        <title>cefd55bd2159f427228d44864747243946296739 - nsproxy: fix free_nsproxy() and simplify create_new_namespaces()</title>
        <link>http://opengrok.kc2vjw.com:8080/history/linux/kernel/nsproxy.c#cefd55bd2159f427228d44864747243946296739</link>
        <description>nsproxy: fix free_nsproxy() and simplify create_new_namespaces()

Make it possible to handle NULL being passed to the reference count helpers instead of forcing the caller to handle this. Afterwards we can nicely allow a cleanup guard to handle nsproxy freeing.

Active reference count handling is not done in nsproxy_free() but rather in free_nsproxy() as nsproxy_free() is also called from setns() failure paths where a new nsproxy has been prepared but has not been marked as active via switch_task_namespaces().

Link: https://lore.kernel.org/690bfb9e.050a0220.2e3c35.0013.GAE@google.com
Link: https://patch.msgid.link/20251111-sakralbau-guthaben-7dcc277d337f@brauner
Fixes: 3c9820d5c64a (&quot;ns: add active reference count&quot;)
Reported-by: syzbot+0b2e79f91ff6579bfa5b@syzkaller.appspotmail.com
Reported-by: syzbot+0a8655a80e189278487e@syzkaller.appspotmail.com
Signed-off-by: Christian Brauner &lt;brauner@kernel.org&gt;

            List of files:
            /linux/kernel/nsproxy.c</description>
        <pubDate>Tue, 11 Nov 2025 21:29:44 +0000</pubDate>
        <dc:creator>Christian Brauner &lt;brauner@kernel.org&gt;</dc:creator>
    </item>
<item>
        <title>8ebfb9896c97ab609222460e705f425cb3f0aad0 - Merge patch series &quot;nstree: listns()&quot;</title>
        <link>http://opengrok.kc2vjw.com:8080/history/linux/kernel/nsproxy.c#8ebfb9896c97ab609222460e705f425cb3f0aad0</link>
        <description>Merge patch series &quot;nstree: listns()&quot;

Christian Brauner &lt;brauner@kernel.org&gt; says:

As announced a while ago this is the next step building on the nstree
work from prior cycles. There&apos;s a bunch of fixes and semantic cleanups
in here and a ton of tests.

Currently listns() is relying on active namespace reference counts which
are introduced alongside this series.

While a namespace is on the namespace trees with a valid reference count
it is possible to reopen it through a namespace file handle. This is all
fine but has some issues that should be addressed.

On current kernels a namespace is visible to userspace in the
following cases:

(1) The namespace is in use by a task.

(2) The namespace is persisted through a VFS object (namespace file
    descriptor or bind-mount).
    Note that (2) only cares about direct persistence of the namespace
    itself not indirectly via e.g., file-&gt;f_cred file references or
    similar.

(3) The namespace is a hierarchical namespace type and is the parent of
    a single or multiple child namespaces.

Case (3) is interesting because it is possible that a parent namespace
might not fulfill any of (1) or (2), i.e., is invisible to userspace but
it may still be resurrected through the NS_GET_PARENT ioctl().

Currently namespace file handles allow much broader access to namespaces
than what is currently possible via (1)-(3). The reason is that
namespaces may remain pinned for completely internal reasons yet are
inaccessible to userspace.

For example, a user namespace may remain pinned by get_cred() calls to
stash the opener&apos;s credentials into file-&gt;f_cred. As it stands file
handles allow to resurrect such a user namespace even though this
should not be possible via (1)-(3). This is a fundamental uapi change
that we shouldn&apos;t do if we don&apos;t have to.

Consider the following insane case: Various architectures support the
CONFIG_MMU_LAZY_TLB_REFCOUNT option which uses lazy TLB destruction.
When this option is set a userspace task&apos;s struct mm_struct may be used
for kernel threads such as the idle task and will only be destroyed once
the cpu&apos;s runqueue switches back to another task. But because of ptrace()
permission checks struct mm_struct stashes the user namespace of the
task that struct mm_struct originally belonged to. The kernel thread
will take a reference on the struct mm_struct and thus pin it.

So on an idle system user namespaces can be persisted for arbitrary
amounts of time which also means that they can be resurrected using
namespace file handles. That makes no sense whatsoever. The problem is
of course exacerbated on large systems with a huge number of cpus.

To handle this nicely we introduce an active reference count which
tracks (1)-(3). This is easy to do as all of these things are already
managed centrally. Only (1)-(3) will count towards the active reference
count and only namespaces which are active may be opened via namespace
file handles.

The problem is that namespaces may be resurrected. Which means that they
can become temporarily inactive and will be reactivated some time later.
Currently the only example of this is the SIOCGSKNS socket ioctl. The
SIOCGSKNS ioctl allows to open a network namespace file descriptor based
on a socket file descriptor.

If a socket is tied to a network namespace that subsequently becomes
inactive but that socket is persisted by another process in another
network namespace (e.g., via SCM_RIGHTS of pidfd_getfd()) then the
SIOCGSKNS ioctl will resurrect this network namespace.

So calls to open_related_ns() and open_namespace() will end up
resurrecting the corresponding namespace tree.

Note that the active reference count does not regulate the lifetime of
the namespace itself. This is still done by the normal reference count.
The active reference count can only be elevated if the regular reference
count is elevated.

The active reference count also doesn&apos;t regulate the presence of a
namespace on the namespace trees. It only regulates its visibility to
namespace file handles (and in later patches to listns()).

A namespace remains on the namespace trees from creation until its
actual destruction. This will allow the kernel to always reach any
namespace trivially and it will also enable subsystems like bpf to walk
the namespace lists on the system for tracing or general introspection
purposes.

Note that different namespaces have different visibility lifetimes on
current kernels. While most namespaces are immediately released when the
last task using them exits, the user- and pid namespace are persisted
and thus both remain accessible via /proc/&lt;pid&gt;/ns/&lt;ns_type&gt;.

The user namespace lifetime is aligned with struct cred and is only
released through exit_creds(). However, it becomes inaccessible to
userspace once the last task using it is reaped, i.e., when
release_task() is called and all proc entries are flushed. Similarly,
the pid namespace is also visible until the last task using it has been
reaped and the associated pid numbers are freed.

The active reference counts of the user- and pid namespace are
decremented once the task is reaped.

Based on the namespace trees and the active reference count, a new
listns() system call that allows userspace to iterate through namespaces
in the system. This provides a programmatic interface to discover and
inspect namespaces, enhancing existing namespace apis.

Currently, there is no direct way for userspace to enumerate namespaces
in the system. Applications must resort to scanning /proc/&lt;pid&gt;/ns/
across all processes, which is:

1. Inefficient - requires iterating over all processes
2. Incomplete - misses inactive namespaces that aren&apos;t attached to any
   running process but are kept alive by file descriptors, bind mounts,
   or parent namespace references
3. Permission-heavy - requires access to /proc for many processes
4. No ordering or ownership.
5. No filtering per namespace type: Must always iterate and check all
   namespaces.

The list goes on. The listns() system call solves these problems by
providing direct kernel-level enumeration of namespaces. It is similar
to listmount() but obviously tailored to namespaces.

/*
 * @req: Pointer to struct ns_id_req specifying search parameters
 * @ns_ids: User buffer to receive namespace IDs
 * @nr_ns_ids: Size of ns_ids buffer (maximum number of IDs to return)
 * @flags: Reserved for future use (must be 0)
 */
ssize_t listns(const struct ns_id_req *req, u64 *ns_ids,
               size_t nr_ns_ids, unsigned int flags);

Returns:

- On success: Number of namespace IDs written to ns_ids
- On error: Negative error code

/*
 * @size: Structure size
 * @ns_id: Starting point for iteration; use 0 for first call, then
 *         use the last returned ID for subsequent calls to paginate
 * @ns_type: Bitmask of namespace types to include (from enum ns_type):
 *           0: Return all namespace types
 *           MNT_NS: Mount namespaces
 *           NET_NS: Network namespaces
 *           USER_NS: User namespaces
 *           etc. Can be OR&apos;d together
 * @user_ns_id: Filter results to namespaces owned by this user namespace:
 *              0: Return all namespaces (subject to permission checks)
 *              LISTNS_CURRENT_USER: Namespaces owned by caller&apos;s user namespace
 *              Other value: Namespaces owned by the specified user namespace ID
 */
struct ns_id_req {
        __u32 size;         /* sizeof(struct ns_id_req) */
        __u32 spare;        /* Reserved, must be 0 */
        __u64 ns_id;        /* Last seen namespace ID (for pagination) */
        __u32 ns_type;      /* Filter by namespace type(s) */
        __u32 spare2;       /* Reserved, must be 0 */
        __u64 user_ns_id;   /* Filter by owning user namespace */
};

Example 1: List all namespaces

void list_all_namespaces(void)
{
	struct ns_id_req req = {
		.size = sizeof(req),
		.ns_id = 0,      /* Start from beginning */
		.ns_type = 0,    /* All types */
		.user_ns_id = 0, /* All user namespaces */
	};
	uint64_t ids[100];
	ssize_t ret;

	printf(&quot;All namespaces in the system:\n&quot;);
	do {
		ret = listns(&amp;req, ids, 100, 0);
		if (ret &lt; 0) {
			perror(&quot;listns&quot;);
			break;
		}

		for (ssize_t i = 0; i &lt; ret; i++)
			printf(&quot;  Namespace ID: %llu\n&quot;, (unsigned long long)ids[i]);

		/* Continue from last seen ID */
		if (ret &gt; 0)
			req.ns_id = ids[ret - 1];
	} while (ret == 100); /* Buffer was full, more may exist */
}

Example 2 : List network namespaces only

void list_network_namespaces(void)
{
	struct ns_id_req req = {
		.size = sizeof(req),
		.ns_id = 0,
		.ns_type = NET_NS, /* Only network namespaces */
		.user_ns_id = 0,
	};
	uint64_t ids[100];
	ssize_t ret;

	ret = listns(&amp;req, ids, 100, 0);
	if (ret &lt; 0) {
		perror(&quot;listns&quot;);
		return;
	}

	printf(&quot;Network namespaces: %zd found\n&quot;, ret);
	for (ssize_t i = 0; i &lt; ret; i++)
		printf(&quot;  netns ID: %llu\n&quot;, (unsigned long long)ids[i]);
}

Example 3 : List namespaces owned by current user namespace

void list_owned_namespaces(void)
{
	struct ns_id_req req = {
		.size = sizeof(req),
		.ns_id = 0,
		.ns_type = 0,                      /* All types */
		.user_ns_id = LISTNS_CURRENT_USER, /* Current userns */
	};
	uint64_t ids[100];
	ssize_t ret;

	ret = listns(&amp;req, ids, 100, 0);
	if (ret &lt; 0) {
		perror(&quot;listns&quot;);
		return;
	}

	printf(&quot;Namespaces owned by my user namespace: %zd\n&quot;, ret);
	for (ssize_t i = 0; i &lt; ret; i++)
		printf(&quot;  ns ID: %llu\n&quot;, (unsigned long long)ids[i]);
}

Example 4 : List multiple namespace types

void list_network_and_mount_namespaces(void)
{
	struct ns_id_req req = {
		.size = sizeof(req),
		.ns_id = 0,
		.ns_type = NET_NS | MNT_NS, /* Network and mount */
		.user_ns_id = 0,
	};
	uint64_t ids[100];
	ssize_t ret;

	ret = listns(&amp;req, ids, 100, 0);
	printf(&quot;Network and mount namespaces: %zd found\n&quot;, ret);
}

Example 5 : Pagination through large namespace sets

void list_all_with_pagination(void)
{
	struct ns_id_req req = {
		.size = sizeof(req),
		.ns_id = 0,
		.ns_type = 0,
		.user_ns_id = 0,
	};
	uint64_t ids[50];
	size_t total = 0;
	ssize_t ret;

	printf(&quot;Enumerating all namespaces with pagination:\n&quot;);

	while (1) {
		ret = listns(&amp;req, ids, 50, 0);
		if (ret &lt; 0) {
			perror(&quot;listns&quot;);
			break;
		}
		if (ret == 0)
			break; /* No more namespaces */

		total += ret;
		printf(&quot;  Batch: %zd namespaces\n&quot;, ret);

		/* Last ID in this batch becomes start of next batch */
		req.ns_id = ids[ret - 1];

		if (ret &lt; 50)
			break; /* Partial batch = end of results */
	}

	printf(&quot;Total: %zu namespaces\n&quot;, total);
}

listns() respects namespace isolation and capabilities:

(1) Global listing (user_ns_id = 0):
    - Requires CAP_SYS_ADMIN in the namespace&apos;s owning user namespace
    - OR the namespace must be in the caller&apos;s namespace context (e.g.,
      a namespace the caller is currently using)
    - User namespaces additionally allow listing if the caller has
      CAP_SYS_ADMIN in that user namespace itself

(2) Owner-filtered listing (user_ns_id != 0):
    - Requires CAP_SYS_ADMIN in the specified owner user namespace
    - OR the namespace must be in the caller&apos;s namespace context
    - This allows unprivileged processes to enumerate namespaces they own

(3) Visibility:
    - Only &quot;active&quot; namespaces are listed
    - A namespace is active if it has a non-zero __ns_ref_active count
    - This includes namespaces used by running processes, held by open
      file descriptors, or kept active by bind mounts
    - Inactive namespaces (kept alive only by internal kernel
      references) are not visible via listns()

* patches from https://patch.msgid.link/20251029-work-namespace-nstree-listns-v4-0-2e6f823ebdc0@kernel.org: (74 commits)
  selftests/namespace: test listns() pagination
  selftests/namespace: add stress test
  selftests/namespace: commit_creds() active reference tests
  selftests/namespace: third threaded active reference count test
  selftests/namespace: second threaded active reference count test
  selftests/namespace: first threaded active reference count test
  selftests/namespaces: twelth inactive namespace resurrection test
  selftests/namespaces: eleventh inactive namespace resurrection test
  selftests/namespaces: tenth inactive namespace resurrection test
  selftests/namespaces: ninth inactive namespace resurrection test
  selftests/namespaces: eigth inactive namespace resurrection test
  selftests/namespaces: seventh inactive namespace resurrection test
  selftests/namespaces: sixth inactive namespace resurrection test
  selftests/namespaces: fifth inactive namespace resurrection test
  selftests/namespaces: fourth inactive namespace resurrection test
  selftests/namespaces: third inactive namespace resurrection test
  selftests/namespaces: second inactive namespace resurrection test
  selftests/namespaces: first inactive namespace resurrection test
  selftests/namespaces: seventh listns() permission test
  selftests/namespaces: sixth listns() permission test
  ...

Link: https://patch.msgid.link/20251029-work-namespace-nstree-listns-v4-0-2e6f823ebdc0@kernel.org
Signed-off-by: Christian Brauner &lt;brauner@kernel.org&gt;

            List of files:
            /linux/kernel/nsproxy.c</description>
        <pubDate>Thu, 30 Oct 2025 12:04:20 +0000</pubDate>
        <dc:creator>Christian Brauner &lt;brauner@kernel.org&gt;</dc:creator>
    </item>
</channel>
</rss>
